1 files changed, 246 insertions, 0 deletions

diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS
new file mode 100644
index 0000000..6b28c83
--- /dev/null
+++ b/debian/apache2.NEWS
@@ -0,0 +1,246 @@
+apache2 (2.4.10-2) unstable; urgency=low
+
+  The default period for which rotated log files are kept has been
+  reduced from one year to 14 days.
+
+ -- Stefan Fritsch <sf@debian.org>  Tue, 23 Sep 2014 22:25:06 +0200
+
+apache2 (2.4.1-1) unstable; urgency=low
+
+  This package introduces a new major release of the Apache HTTP server. It is
+  likely the site configuration needs changes to work with this release.
+  Notable changes which need special care are:
+
+  The module interface (ABI) has changed. If you have any locally compiled
+  modules, you have to re-compile them for apache2 2.4.
+
+  The authorization and authentication system has changed. Existing
+  configurations using deprecated Order/Allow/Deny directives need to be
+  upgraded to the new system. Please review upstream's "Authentication,
+  Authorization and Access Control Howto" [1]. There is a new module
+  "mod_access_compat", which is supposed to provide backward compatibility,
+  but it does not work well in practice.
+
+  Furthermore, MPMs are simple modules now. Thus, the MPM can be changed
+  at any time by (un-)loading a specific module. Be careful when upgrading. An
+  example of changing the MPM is given below:
+
+  a2dismod mpm_worker
+  a2enmod mpm_prefork
+
+  MPM ITK users should be advised, that ITK is not a MPM anymore. Instead, it
+  is a simple Apache module, expanding functionality of the prefork MPM. Thus,
+  users should switch to the prefork MPM and enable ITK as a module. The
+  upgrade scripts ensure this for the upgrade from Debian Wheezy.
+
+  We did change the security model for Apache in our default configuration. We
+  do not allow access to the file system outside /var/www and /usr/share.
+  If you are running virtual hosts or scripts outside these directories, you
+  need to whitelist them in your configuration to grant access through HTTP.
+  Special care must be taken if you are using a sub-directory in /srv to serve
+  your content as recommended by the File Hierarchy Standard (FHS). You must
+  allow access to your served directory explicity in the corresponding virtual
+  host, or by allowing access in apache2.conf as proposed.
+
+  Along the security model, we did also change the default Document Root, files
+  are served from. Previous releases served /var/www by default when no other
+  virtual host matched the request. Starting with this release, we changed the
+  default document root to /var/www/html, so that sensitive files from other
+  virtual hosts wich are typically put into some directory below /var/www are
+  not exposed by the default virtual host. This change further improves the out
+  of box security.
+
+  Moreover, the configuration mechanism in Debian has changed. All
+  configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
+  The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is
+  not supported any more) and works just like {sites,mods}-{available,enabled}
+  via the "a2enconf" tool. The upgrade tries to migrate known configuration
+  files from /etc/apache2/conf.d/ to /etc/apache2/conf-available/ - please
+  review these changes.
+
+  Note this means all existing sites are ignored until they get a ".conf"
+  suffix and are re-enabled by the use of a2ensite. The script in [3] can
+  automate that for simple cases. This change also includes Debian default
+  sites, so the default site has been renamed to 000-default to avoid naming
+  confusions. The rename of the config files to *.conf makes the special
+  handling inside apache2 to ignore *.dpkg-* backup files obsolete. This
+  special handling has been removed.
+
+  Users of mod_authn_dbm should switch to htdbm to manage their DBM user
+  databases. The pure-perl management utility "dbmmanage" was removed as it was
+  outdated and orphaned upstream.
+
+  Packagers are advised to review whether their packages comply with this
+  new version. Please see [2] for detailed documentation and instructions.
+
+  [1] http://httpd.apache.org/docs/2.4/howto/auth.html
+  [2] </usr/share/doc/apache2/PACKAGING>
+  [3] </usr/share/doc/apache2/migrate-sites.pl>
+
+ -- Arno Töll <arno@debian.org>  Fri, 23 July 2012 23:50:13 +0200
+
+apache2 (2.2.15-4) unstable; urgency=low
+
+  * Note to people using mod_proxy as forward proxy, i.e. with
+    'ProxyRequests on':
+    This release disables the configuration in mods-available/proxy.conf
+    by default. You should verify that access control for proxy access
+    still works as intended. This is especially important if you have
+    your forward proxy configuration in a different configuration file
+    than proxy.conf.
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 19 Apr 2010 22:36:57 +0200
+
+apache2 (2.2.15-1) unstable; urgency=low
+
+  * To fix a security vulnerability in the design of the SSL/TLS protocol
+    (CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
+    session renegotiation is no longer supported with old clients that do not
+    implement this extension. This breaks certain configurations with client
+    certificate authentication. If you still need to support old clients, you
+    may restore the old (insecure) behaviour by uncommenting the
+
+        SSLInsecureRenegotiation on
+
+    line in /etc/apache2/mods-available/ssl.conf
+
+  * This release adds and enables mod_reqtimeout, which limits the time
+    Apache waits for a client to send a complete request. This helps to
+    mitigate against certain denial of service attacks. In case of problems
+    with slow clients, the timeout values can be adjusted in
+    /etc/apache2/mods-available/reqtimeout.conf , or the module can be
+    disabled with "a2dismod reqtimeout".
+
+ -- Stefan Fritsch <sf@debian.org>  Sat, 28 Aug 2010 20:49:30 +0100
+
+apache2 (2.2.14-6) unstable; urgency=low
+
+  * Apache now uses the environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR,
+    and APACHE_LOG_DIR in the default configuration.  If you have modified
+    /etc/apache2/envvars, make sure that these variables are set and exported.
+  * There is now some support for running multiple instances of Apache on the
+    same machine. See the documentation in /usr/share/doc/apache2.2-common for
+    details.
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 07 Feb 2010 13:56:59 +0100
+
+apache2 (2.2.13-2) unstable; urgency=high
+
+  * The new support for TLS Server Name Indication added in 2.2.12 causes
+    Apache to be stricter about certain misconfigurations involving name
+    based SSL virtual hosts. This may result in Apache refusing to start
+    with the logged error message:
+
+        Server should be SSL-aware but has no certificate configured
+        [Hint: SSLCertificateFile]
+
+    Up to 2.2.11, Apache accepted configurations where the necessary SSL
+    configuration statements were included in the first (default)
+    <Virtualhost *:443> block but not in subsequent <Virtualhost *:443>
+    blocks. Starting with 2.2.12, every VirtualHost block used with SSL must
+    contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile
+    directives (SSLCertificateKeyFile is optional in some cases).
+
+    When you encounter the above problem, the output of the command
+
+        egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
+            /etc/apache2/*conf* /etc/apache2/*enabled
+
+    may be useful to determine which VirtualHost sections need to be changed.
+
+    Also, formerly accidentially working constructs like
+
+        <VirtualHost *:80 *:443>
+
+    where one virtual host definition is used for both a non-ssl and a ssl
+    virtual host do not work anymore. You can achieve a similar effect with
+
+        <VirtualHost *:80>
+        Include /.../vhost.include
+        </VirtualHost>
+        <VirtualHost *:443>
+        SSLEngine on
+        SSLCertificateFile ...
+        Include /.../vhost.include
+        </VirtualHost>
+
+ -- Stefan Fritsch <sf@debian.org>  Wed, 16 Sep 2009 20:14:59 +0200
+
+apache2 (2.2.9-3) unstable; urgency=low
+
+  * The directive "NameVirtualHost *" has been changed to "NameVirtualHost
+    *:80". It has also been moved from sites-available/default to ports.conf.
+    This allows to ship a proper SSL default virtual host config in
+    sites-available/default-ssl, but it means that if you use several name
+    based virtual hosts:
+    
+    - you will have to change <VirtualHost *> to <VirtualHost *:80> in your
+      name based virtual hosts
+
+    - you need to add more NameVirtualHost directives if you use other ports
+      than 80 with name based virtual hosts. You may also have to add these
+      ports to the default virtual host in /etc/apache2/sites-available/default
+      (like this: "<VirtualHost *:80 *:81>").
+    
+    If you prefer to revert to the old setup instead (and don't need the
+    default-ssl host), just change "NameVirtualHost *:80" back to
+    "NameVirtualHost *" in ports.conf and "<VirtualHost *:80>" to
+    "<VirtualHost *>" in sites-available/default.
+
+  * For mod_disk_cache, caching is again disabled in disk_cache.conf by
+    default. It usually makes more sense to enable this on a per-virtual host
+    basis.
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 30 Jun 2008 19:47:52 +0200
+
+apache2 (2.2.8-5) unstable; urgency=low
+
+  * The suexec helper program needed for mod_suexec is now shipped in a
+    separate package, apache2-suexec, which is not installed by default.
+    You need to install this package manually if you are using mod_suexec.
+
+    There is now also the apache2-suexec-custom package, which contains a
+    customizable version of suexec which can be used with different document
+    roots than /var/www.
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 04 May 2008 20:24:00 +0200
+
+apache2 (2.2.8-1) unstable; urgency=low
+
+  * The Apache User and Group and the PidFile path are now configured in
+    /etc/apache2/envvars, to make it easier to use them in scripts
+    (like the init and logrotate scripts, and apache2ctl).
+    If you have changed these settings from their default values, you need to
+    adjust /etc/apache2/envvars.
+    This also means that starting apache2 with "apache2 -k start" is no longer
+    possible, you have to use /etc/init.d/apache2 or apache2ctl.
+
+ -- Stefan Fritsch <sf@debian.org>  Tue, 15 Jan 2008 21:41:23 +0100
+
+apache2 (2.2.4-2) unstable; urgency=low
+
+  * This version introduces some changes in the configuration layout and
+    defaults. You will probably have to adjust your configuration accordingly.
+
+    - Module specific configuration has been moved from 
+      /etc/apache2/apache2.conf to /etc/apache2/mods-available/*.conf for the
+      following modules: 
+        actions          alias              autoindex
+        info             mime               negotiation
+        setenvif         status
+
+    - AddDefaultCharset is again disabled by default. See
+      /etc/apache2/conf.d/charset
+
+    - "Listen 443" is automatically enabled in /etc/apache2/ports.conf if
+      mod_ssl is enabled.
+
+  * The NO_START functionality from /etc/default/apache2 has been removed. If
+    you don't want to start apache2 on boot, rename the S*apache2 start
+    symlinks as usual.
+
+  * To ensure that the disk cache does not grow indefinitely, htcacheclean is
+    now started when mod_disk_cache is enabled. The details can be configured
+    in /etc/default/apache2 .
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 09 Jul 2007 21:50:58 +0200